“I only live to keep down the price of gas”
Gang of Four, “Cheeseburger to go”

Archive for September, 2004
Here’s what I know so far:
First you should know that I am ignoring the Apple documentation, because I cannot get their recommendations to work.
My biggest problem is that I am trying to get a client that has existing user accounts to authenticate on the network using LDAP Bind authentication.
NetInfo stands in the way of this - AFAIK - this is why Apple’s recs are not working for me.
But I am making progress: I’ve turned on the OpenDirectory mapping to the LDAPv3 plugin, and things are starting to look very good. My LDAP server is reporting all the transactions that come across the wire, so I’m able to see what Apple is searching for, etc. So far, my laptop has the attributes that it needs to get OD to start to try to get MCX data for it. But since I don’t know what that looks like yet, I’m at a loss.
I think that this is what OD wants to do: he wants to start at the machine that you are on, and traverse the tree until he sees that that machine can get auth from the LDAP server, at which point he’ll try a BIND.
It is taking some time to get to that point…
Anyway, if you want some debug logs so that you see what the client is doing to the LDAP server, leave a message up here, and I can get you the logs.
For the truly brave, try nidump’ing your NetInfo db, deleting it, and starting your config from scratch. Actually, I’m half tempted to do this…
I’m gonna be out of town for a few days, and I wanted to make a post before I go, so here goes.
I am an avid websurfer and lover of pop culture, which is good, since my 13 y/o son has dubbed me “the anti-Dad”. Here’s a few of the nifty and odd sites that I have found and want to share…
Retrocrush
I am not sure if I agree with the #1 piece (Phil Collins? c’mon…), but this is an amazing site and will bring a smile to your face. Well researched, a bit blinky, but whatever.
I love Bacon!
Well, what can I say? Besides the double entendre, this guy’s sense of humor is pretty close to mine.
Homestar Runner
Everybody! Everybody! (We sing this on the way to school in the morning.) Nice to get props from my son’s homeroom teacher, who has a The Cheat sticker on her car. Buy the hoodie.
I can’t get OS X to BIND to the LDAP directory unless there is no user entry in NetInfo. So, my username is dbuttric; what I did is I changed my NetInfo name to dbuttric-0.
Now when I try to login, I get BIND authentication.
The problem with this is that I can only do that after someone else has logged in to the machine I’m trying to login to.
So here’s the sequence of events:
reboot machine.
login as me -> failure.
login as root -> success (root has a netinfo entry)
logout of root.
login as me ->success.
Weird, ain’t it? It only works AFTER you’ve logged in as someone else.
I’ll continue working on this…
Well, so here’s the latest from the research department. I’ve gotten as far as getting OpenLDAP to work using the Apple schema extensions.
The Apple extensions are dependent on two schemas: 1) the Apple LDAP extensions, and 2) the Samba schema.
The fortunate thing is that Apple is not really doing anything proprietary. They are extending two RFCs that talk about how to use LDAP as an NIS.
But it is tricky. You can download the apple.schema file from Apple, but when you incorporate it into a default OpenLDAP installation you get errors about undefined attributes of type ‘authAuthority’.
It turns out that you just need to edit the schema. The authAuthority attribute is defined AFTER it is used by an objectClass. As you know, this is illegal: slapd reads the schema file top to bottom, so you must define attributetypes first, then you can use them in objectclasses. So, you edit the schema: find where ‘authAuthority’ is defined, and move it up to before the first objectClass that uses it.
Once you’ve done that, you can start the LDAP server. But you may get another error that says that acctFlag is undefined. This is why you need to incorporate the Samba schema.
This is what my includes section of the slapd.conf looks like:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/apple.schema
If yours looks like this, and you have edited the apple.schema as I mentioned above, you should be OK.
Now, if I can just figure out how to get the system to BIND for authentication - it seems to just do a FIND when I login… It’s looking for something, and I don’t know what…
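The “attribute used before it is defined” problem above is mechanical enough to check and fix with a script rather than by hand. What follows is an added example, not code from the original post: it parses an OpenLDAP-style schema file into attributetype/objectclass directives, reports every MUST/MAY/SUP reference to a name that is only defined later in the file (the ordering slapd rejects), and rewrites the file with each forward-referenced definition pulled up in front of the first directive that uses it. The embedded sample schema is constructed for the demonstration; the attribute and class names mimic the apple.schema situation, but the OIDs under 1.3.6.1.4.1.99999 are made up and the file is not Apple’s.

```python
"""Find and fix forward references in an OpenLDAP schema file.

slapd loads a schema file top to bottom, so an objectclass that lists an
attribute in MUST/MAY before that attributetype is defined aborts startup.
This script reports such forward references and reorders the directives.
Added example; not the original post's code. The sample schema is constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: reproduces the apple.schema ordering error with made-up OIDs.
SAMPLE_SCHEMA = """\
# constructed sample schema; OIDs under 1.3.6.1.4.1.99999 are made up
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'apple-user-homeurl'
    DESC 'home directory URL'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'apple-user' SUP top AUXILIARY
    DESC 'user record; may carry an authentication authority'
    MAY ( apple-user-homeurl $ authAuthority ) )

# defined only after the objectclass that uses it: slapd refuses to start
attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'authAuthority'
    DESC 'authentication authority'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
"""

KIND_RE = re.compile(r"(attributetype|objectclass)\b", re.I)
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*'([^']+)')", re.I)
SUP_RE = re.compile(r"\bSUP\s+(?:\(\s*([^)]*)\)|([\w.-]+))", re.I)
LIST_RE = re.compile(r"\b(?:MUST|MAY)\s+(?:\(\s*([^)]*)\)|([\w.-]+))", re.I)


@dataclass
class Chunk:
    lines: list                      # raw lines, comments and blanks included
    kind: str = ""                   # "attributetype", "objectclass" or ""
    name: str = ""                   # first NAME, original case
    refs: list = field(default_factory=list)  # lowercased names it depends on


def _names(match):
    """Split a '( a $ b )' list or a single name into lowercased names."""
    text = match.group(1) or match.group(2) or ""
    return [n.strip().lower() for n in text.split("$") if n.strip()]


def classify(chunk):
    """Fill in kind, name and referenced names from the directive text."""
    body = "".join(l for l in chunk.lines if not l.lstrip().startswith("#")).lstrip()
    m = KIND_RE.match(body)
    if not m:
        return chunk
    chunk.kind = m.group(1).lower()
    n = NAME_RE.search(body)
    chunk.name = (n.group(1) or n.group(2)) if n else ""
    unquoted = re.sub(r"'[^']*'", "''", body)  # a DESC saying "may ..." is not a MAY clause
    for rx in (SUP_RE, LIST_RE):
        for m2 in rx.finditer(unquoted):
            chunk.refs += _names(m2)
    return chunk


def parse_chunks(text):
    """One chunk per top-level directive; indented lines continue it, and
    comment/blank lines attach to the directive that follows them."""
    chunks, pending, current = [], [], None
    for line in text.splitlines(keepends=True):
        if line.strip() == "" or line.lstrip().startswith("#"):
            pending.append(line)
        elif line[0] in " \t" and current is not None:
            current.lines.extend(pending + [line])
            pending = []
        else:
            current = Chunk(pending + [line])
            pending = []
            chunks.append(current)
    if pending:
        chunks.append(Chunk(pending))
    return [classify(c) for c in chunks]


def forward_references(chunks):
    """(user, definition) pairs where the definition comes later in the file."""
    defs = {c.name.lower(): c for c in chunks if c.name}
    seen, problems = set(), []
    for c in chunks:
        for ref in c.refs:
            if ref in defs and ref not in seen:
                problems.append((c.name, defs[ref].name))
        if c.name:
            seen.add(c.name.lower())
    return problems


def reorder(chunks):
    """Keep file order, but emit each in-file dependency before its first user."""
    defs = {c.name.lower(): c for c in chunks if c.name}
    ordered, emitted = [], set()

    def emit(c):
        if id(c) in emitted:
            return
        emitted.add(id(c))
        for ref in c.refs:
            if ref in defs:
                emit(defs[ref])
        ordered.append(c)

    for c in chunks:
        emit(c)
    return ordered


def fix_schema(text):
    """Return the schema text with forward-referenced definitions moved up."""
    return "".join("".join(c.lines) for c in reorder(parse_chunks(text)))


if __name__ == "__main__":
    for user, definition in forward_references(parse_chunks(SAMPLE_SCHEMA)):
        print(f"{user} uses {definition} before it is defined")
    print(fix_schema(SAMPLE_SCHEMA))
```

Run it against the real apple.schema by reading the file into `fix_schema` instead of `SAMPLE_SCHEMA`; names are compared case-insensitively because LDAP short names are, and references to attributes defined in other included files (core, nis, samba) are left alone since the include order in slapd.conf, not this file, governs those. The script only moves whole directives, so a missing definition such as the Samba one reported above still has to be supplied by including the right schema.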
It’s been a trying month so far, both financially and emotionally. Life goes on, the wheel spins, and I know that all of this stuff will work itself out, it’s just difficult sometimes. Thankfully I have been getting back in contact with my sisters, and I have some very close friends to help me through. Now if I could just keep my bank account in the black…
Anyone know a wealthy benefactor who would like to help a dead broke dad make it through the first few years after a divorce and not declare personal bankruptcy? Maybe I should write to Oprah?
Well, as you can see below, I’ve had some free time on my hands.
During this hiatus, I’ve been messing with LDAP & OS X integration.
I think that I can basically fool my laptop into thinking that there is an OS X Server in the basement, even though it’s a Linux box running netatalk, Samba, and LDAP.
I’ll post more as I make progress.
Yeah, so it happens. The economy is not as good as some would have it.
I’ve been out of work for around 3 months now. I don’t know java - if I did, I’d have a job NOW.
Here’s a PDF of my resume. Download file.
I’ve been freelancing for the last few months, but projects are running dry. So things are getting interesting.
Thanks.
I’ve been to NYC three times since the WTC was destroyed, never seem to be able to make it down to the site, though it’s not for lack of trying.
The last time I was headed that way, I got floored by a display of memorial tiles made by school children that were hanging on a fence on the lower east side.
I guess I don’t want to really see it…too much like rubbernecking at a traffic accident.
Once again, Dave got the whole webserver/Movable Type thing going like gangbusters. Now all of the three folks who read this site can have new stuff to look at.
Other recent developments over the course of the summer of no posts.
Another season of outdoor rock and roll video madness has come and will finish up on the new moon, the 16th, 17th and 18th of Sept. This is a better picture of the size of the screen…We watched Pink Floyd’s “The Wall” in widescreen, the soundman brought his DVD.